Red Hat Bugzilla – Bug 151180
Missing HTML escaping/XSS: <script>alert('hello world')</script>
Last modified: 2007-04-18 13:20:52 EDT
There seems to be a missing HTML escaping / possible cross site scripting
problem with the beta Bugzilla summaries, as probably reproduced by the summary
of this bug. After modifying a bug, the <h1> in the "Bug XXX processed: ..."
response page contains the summary passed through as-is.
Yep, it is reproduced by the summary in this bug. Testing non-beta
Bugzilla with this comment...
Nope, only the beta is affected.
Thanks for the heads-up. Testing change to see if this is fixed with this comment.
Seems to be fixed now.
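The defect discussed in this thread is the summary being interpolated into the "Bug XXX processed" heading as-is. The following is an added illustration, not Bugzilla's own (Perl) code: it renders the heading both the defective way and with the summary HTML-escaped, using a constructed sample summary modelled on the one in this report. The function names and the check helper are assumptions chosen for the example.

```python
"""Added illustration (not Bugzilla's own code): HTML-escaping a bug summary
before it is placed inside the <h1> of a response page."""
import html

# Constructed sample summary, modelled on the summary reported on this page.
SAMPLE_SUMMARY = "Missing HTML escaping/XSS: <script>alert('hello world')</script>"


def render_heading_unescaped(bug_id: int, summary: str) -> str:
    """The defective behaviour the report describes: the summary is
    interpolated verbatim, so any markup in it becomes live HTML."""
    return f"<h1>Bug {bug_id} processed: {summary}</h1>"


def render_heading(bug_id: int, summary: str) -> str:
    """Fixed variant: escape &, <, >, " and ' before interpolating.
    quote=True also covers the quote characters, which matters if the same
    value is ever placed inside an attribute rather than element text."""
    return f"<h1>Bug {bug_id} processed: {html.escape(summary, quote=True)}</h1>"


def contains_raw_tag(rendered: str) -> bool:
    """Cheap regression check: does the rendered heading still contain a
    literal <script tag? A correctly escaped page must answer False."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_heading_unescaped(151180, SAMPLE_SUMMARY))
    print(render_heading(151180, SAMPLE_SUMMARY))
```

The escaped form renders the summary text literally in the browser while leaving no tag for the parser to execute; `contains_raw_tag` is the kind of assertion a test for the fixed page could carry.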